NANOG transition update
A lot of progress has been made since NANOG 51, so I'd like to share this update with the community.

* Association management contract

We recently completed our RFP and selection process, and have contracted with Association Management Solutions (http://www.amsl.com) to provide association management and meeting support services for NANOG. We are excited to be working with AMS, as they have an excellent set of management and IT services which are very good fits to our needs. AMS might already be familiar to some of our community, as they have been providing IETF secretariat services for the past several years. Representatives from AMS will be with us in Denver to observe the conference and meet the community. Over the next couple of months our meeting registration, membership, mailing list and finance systems will be migrated to AMS infrastructure. The transition has already started, and will be completed in time for the start of registration for the NANOG53 meeting. We'll share more details of the transition process as they become available.

* NANOG Intellectual Property

All of the NANOG intellectual property originated by Merit Network, including the name, domain, logos, mailing lists and archives, have been transferred to NewNOG. This means that we _are_ NANOG! We expect that the interim name NewNOG will eventually go away.

* Non-profit status

NewNOG, Inc. has been recognized by the IRS as a 501(c)(3) charitable organization. (See http://www.newnog.org/docs/IRSletter.pdf for the IRS determination letter.) This means that individual donations might be tax-deductible.

* Future conferences

Work continues on securing hosts and venues for future NANOG conferences. The current list of future events is at http://www.nanog.org/meetings/future/, and we expect to have the October 2012 meeting ready to announce in the next few weeks. And if you haven't already registered, please plan to join us at NANOG52 in Denver next month! The Program Committee has published a great agenda, and the hotel block is filling fast. The hotel group rate expires on May 29, and the conference registration fee goes up on June 4, so please register soon! More information is at http://www.nanog.org/meetings/nanog52/.

We welcome any questions or comments, and we'll give another update at the community meeting in Denver.

For the board,
Steve Feldman, chair
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On 5/23/2011 10:34 PM, Owen DeLong wrote:
> Diluted IPv4 is one thing. Hijacking space allocated to another entity is another. As long as they keep it contained within their network, it's pretty much up to them to break their own environment however they see fit, but, if they start leaking 7.0.0.0/8 or subset announcements on to the internet in general, I wouldn't want to be them or one of the companies that was accepting their routes.

I ran into this issue with a service provider that wanted to set up point of sale terminals on our campus. They were using DoD address space in their inside network, and they ordered ISDN connectivity from our site back to their network. The point of sale terminals were connected on our campus network. They wanted me to set a static route on my network backbone that pointed all of the hijacked DoD address space to this ISDN line. Of course, I told them no. The university I was working for at the time had some DoD contracts, and I was afraid that it might break legitimate traffic. Plus, I thought this was a really bad network design. The service provider was not very happy. It is interesting that I'm not the only one that has come across this problem.

--
Byron L. Hicks
Google Voice: 972-746-2549
aim/skype: byronhicks
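Owen's concern above is the leak case: squatted 7.0.0.0/8 space, or a more-specific of it, escaping in the operator's external announcements. An export-policy check for that can be run mechanically against what a peer would see. What follows is an added example, not code from the thread or from any of the posters: it uses Python's standard ipaddress module and a constructed policy in which 7.0.0.0/8 and the RFC 1918 ranges are internal-only, 203.0.113.0/24 and 198.51.100.0/24 stand in for the operator's real allocations, and the sample export list is made up for illustration.

```python
import ipaddress

# Constructed policy for the example (not from the thread). Prefixes listed
# here are used only inside the provider's network and must never appear in
# announcements to external peers: the squatted 7.0.0.0/8 from the thread and
# the RFC 1918 ranges.
INTERNAL_ONLY = [ipaddress.ip_network(p) for p in (
    "7.0.0.0/8",       # not this operator's allocation; squatted internally
    "10.0.0.0/8",      # RFC 1918
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
)]

# Constructed: the only prefixes this operator is allocated and may originate
# (documentation prefixes standing in for real allocations).
ALLOWED_ORIGINATIONS = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24",
    "198.51.100.0/24",
)]

# Constructed sample export list, as an external peer would receive it.
SAMPLE_EXPORT = [
    "203.0.113.0/24",
    "7.1.0.0/16",         # more-specific of the squatted block
    "192.168.5.0/24",     # RFC 1918 leak
    "7.0.0.0/8",          # the whole squatted block
    "198.51.100.128/25",
    "192.0.2.0/24",       # not ours, not internal-only: filtered, but not a squat leak
]


def classify(prefix_str):
    """Return (verdict, reason) for one outbound announcement.

    LEAK   - overlaps an internal-only prefix (inside it, or covering it,
             so a default route or aggregate that swallows 7/8 is also a leak)
    PERMIT - within a prefix the operator is allocated
    DENY   - anything else (still filtered, but not a squatting leak)
    """
    net = ipaddress.ip_network(prefix_str, strict=False)
    for bad in INTERNAL_ONLY:
        if net.subnet_of(bad) or net.supernet_of(bad):
            return "LEAK", f"{net} overlaps internal-only {bad}"
    for ok in ALLOWED_ORIGINATIONS:
        if net.subnet_of(ok):
            return "PERMIT", f"{net} within allocated {ok}"
    return "DENY", f"{net} not within any allocated prefix"


def find_leaks(announcements):
    """Return the announcements that would leak internal-only space."""
    leaks = []
    for prefix in announcements:
        verdict, reason = classify(prefix)
        if verdict == "LEAK":
            leaks.append((prefix, reason))
    return leaks


if __name__ == "__main__":
    for prefix in SAMPLE_EXPORT:
        verdict, reason = classify(prefix)
        print(f"{verdict:6} {reason}")
```

The same three-way split is what an outbound prefix-list on the border routers should enforce; running the check offline against a dump of what a peer actually received catches the case where the router policy was fat-fingered, and the supernet test catches the less obvious leak of an aggregate or default that covers the squatted block.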
RE: Rogers Canada using 7.0.0.0/8 for internal address space
-Original Message-
From: Byron L. Hicks [mailto:by...@byronhicks.com]

> I ran into this issue with a service provider that wanted to set up point of sale terminals on our campus. They were using DoD address space in their inside network, and they ordered ISDN connectivity from our site back to their network. The point of sale terminals were connected on our campus network. They wanted me to set a static route on my network backbone that pointed all of the hijacked DoD address space to this ISDN line. Of course, I told them no. The university I was working for at the time had some DoD contracts, and I was afraid that it might break legitimate traffic. Plus, I thought this was a really bad network design. The service provider was not very happy.

I see why they may do this. They have likely had issues with overlapping 1918 space in previous networks, so they thought "Oh, we'll nick this space, it's DoD and nobody will ever use it..." and it's all fine, until somebody uses it. It's just a really lazy way of getting things done that is likely to come and bite you sooner or later. So you said NO, and what did they do about it ?

--
Leigh Porter
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On 5/24/2011 9:13 AM, Leigh Porter wrote:
> So you said NO, and what did they do about it ?

It forced them to put in their own ISDN router, and they put static routes on the point of sale terminals that pointed the borrowed IP space to the ISDN router. There was no way I was going to put this in the routing tables of my campus routers.

--
Byron L. Hicks
Google Voice: 972-746-2549
aim/skype: byronhicks
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On Mon, May 23, 2011 at 12:28 PM, Mark Farina markfarin...@gmail.com wrote: As of April 27th I have started to receive dhcp broadcast requests originating from the 7.0.0.0/8 network. Based on MAC addresses, it seems that this is communication between the Rogers border/node hardware (MAC assigned to Cisco) and my Motorola cable modem. Is the DoD releasing this range to Rogers? Or has Rogers squatted on this space due to exhaustion of their 10/8 use? We've seen other vendors and ISP squat on previously unused ranges (the 1/8 or 5/8s). Could they not wrap their internal cable modem to node chatter in IPv6, instead of using assigned address space? Squatting resources from an organization that can deploy F/A-18 Hornets, F/A-22 Raptors, Predator drones or Navy SEALs is probably bad to your health. Rubens
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On May 24, 2011, at 7:56 AM, Rubens Kuhl wrote: On Mon, May 23, 2011 at 12:28 PM, Mark Farina markfarin...@gmail.com wrote: As of April 27th I have started to receive dhcp broadcast requests originating from the 7.0.0.0/8 network. Based on MAC addresses, it seems that this is communication between the Rogers border/node hardware (MAC assigned to Cisco) and my Motorola cable modem. Is the DoD releasing this range to Rogers? Or has Rogers squatted on this space due to exhaustion of their 10/8 use? We've seen other vendors and ISP squat on previously unused ranges (the 1/8 or 5/8s). Could they not wrap their internal cable modem to node chatter in IPv6, instead of using assigned address space? Squatting resources from an organization that can deploy F/A-18 Hornets, F/A-22 Raptors, Predator drones or Navy SEALs is probably bad to your health. It's been a while since we fought a war with canada. http://en.wikipedia.org/wiki/Pig_War Rubens
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On Tue, 24 May 2011 08:42:45 -0700 Joel Jaeggli joe...@bogus.com wrote: It's been a while since we fought a war with canada. http://en.wikipedia.org/wiki/Pig_War Should we start locking up our pigs? Then there was the War of 1812 where both side claimed to have won thus starting the age of spin doctoring. -- D'Arcy J.M. Cain da...@druid.net | Democracy is three wolves http://www.druid.net/darcy/| and a sheep voting on +1 416 425 1212 (DoD#0082)(eNTP) | what's for dinner.
New vyatta-nsp list
Hello All: There is a new Vyatta NSP list, sponsored by Jared on puck.nether.net. If you are running Vyatta hardware and/or software please join and share your questions, comments and experiences. http://puck.nether.net/mailman/listinfo/vyatta-nsp Regards, Mike
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On Tue, May 24, 2011 at 8:54 AM, Paul Graydon p...@paulgraydon.co.uk wrote: On 5/24/2011 4:17 AM, Byron L. Hicks wrote: On 5/24/2011 9:13 AM, Leigh Porter wrote: So you said NO, and what did they do about it ? It forced them to put in their own ISDN router, and they put static routes on the point of sale terminals that pointed the borrowed IP space to the ISDN router. There was no way I was going to put this in the routing tables of my campus routers. So rather than fix the real problem, they added an additional bodge? Why am I not surprised? There is no fixing the lack of IPv4, just more band-aids. IPv4 has been scarce for the last 10 years that i have been in this industry. I remember one of my first jobs was assigning IP addresses to customers at an ISP and people on the other end of the phone throwing chairs in anger because they can't launch their web site until i received their detailed justification for more ipv4 addresses. That was 10 years ago. Yes, the issue before was people being lazy and not wanting to do the paper work or working the system (because IPv4 was scarce then too). Now, there is legitimately not enough space for folks to deploy IPv4 in fast growing edges of the network like M2M (this includes point of sale), mobile, cloud, and many other places and there is no time to get in thumb wrestling wars with ARIN over what is used where (boss wants it done yesterday) It will get worse before it gets better. Cameron
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On 5/24/11 10:07 AM, Cameron Byrne wrote: There is no fixing the lack of IPv4, just more band-aids. IPv4 has been scarce for the last 10 years that i have been in this industry. I remember one of my first jobs was assigning IP addresses to customers at an ISP and people on the other end of the phone throwing chairs in anger because they can't launch their web site until i received their detailed justification for more ipv4 addresses. That was 10 years ago. Yes, the issue before was people being lazy and not wanting to do the paper work or working the system (because IPv4 was scarce then too). Now, there is legitimately not enough space for folks to deploy IPv4 in fast growing edges of the network like M2M (this includes point of sale), mobile, cloud, and many other places and there is no time to get in thumb wrestling wars with ARIN over what is used where (boss wants it done yesterday) It will get worse before it gets better. I think the appropriate phrase here is, Your lack of planning does not constitute an emergency on my part. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org/ http://www.ahbl.org
Re: Rogers Canada using 7.0.0.0/8 for internal address space
Is the DoD releasing this range to Rogers? Or has Rogers squatted on this space due to exhaustion of their 10/8 use? We've seen other Squatting resources from an organization that can deploy F/A-18 Hornets, F/A-22 Raptors, Predator drones or Navy SEALs is probably bad to your health. It's been a while since we fought a war with canada. http://en.wikipedia.org/wiki/Pig_War I haven't read any formal declaration of war from the US regarding Pakistan, and that hasn't helped an infamous citizen from being killed there by DoD assets... on the other hand, it's safer for an american company to squat DoD number resources than a canadian one, due to Posse Comitatus. Rubens
EAP-SIM authentication for WiFi networks
Can anyone share a working model / solution for EAP-SIM authenticated smart phones on Wi-Fi networks? (Or even EAP-AKA?) i.e. instead of having to login a portal with a user / password or pre-authenticate MAC addresses, have it be seamless if they are already a subscriber. ATT does this with the WISPr client on the iPhones, but I was hoping for something that worked across the board with Android devices for a given carrier. Any suggestions here on who I might talk to? -- Also on LinkedIn? Feel free to connect if you too are an open networker: scubac...@gmail.com
Re: rwhois website
On 5/21/11 9:54 AM, sth...@nethelp.no sth...@nethelp.no wrote: The DNS info for rwhois.net is seriously screwed (NS info points to ns{1,2}.verisignlabs.com - which don't exist according to the servers for verisignlabs.com). Why do you waste your time on rwhois? Despite RWhois being really old, creaky, and hard to use; people are using it and there is no current replacement (Whois-RWS looks extremely promising). To that end, we are working with VeriSign Inc to migrate the domain rwhois.net to ARIN. We moved the website to ARIN a couple of years ago but the domain has not yet made it. Regards, Mark ARIN CTO
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On Tue, 24 May 2011 10:59:18 PDT, Owen DeLong said: Squatting resources from an organization that can deploy F/A-18 Hornets, F/A-22 Raptors, Predator drones or Navy SEALs is probably bad to your health. I tend to doubt it. I'm pretty sure the DoD has the phone number to the FBI. Yes, but the FBI just shows up with several agents in dark sunglasses and suits and surgically removed senses of humor. Bad news, but it still doesn't ruin your day like a Predator drone suddenly appearing outside your window...
Re: HIJACKED: AS18466, courtesy of Global Crossing (AS3549)
Hello Ronald, [disclaimer] I do work for LACNIC [/disclaimer] [sorry] I'm really late in my NANOG followups [/sorry] P.P.S. Although I have previously bemoaned ARIN's lack of aggressiveness in reclaiming abandoned ASNs and IP blocks that have been hijacked, I feel compelled to note that at least they (ARIN) do have a process in place for doing so, i.e. when and if they are motivated in that direction. I have it on good authority however that LACNIC does not even have an established process for reclaiming abandoned number resources. Given that the problem of hijacked number resources, rather than disappearing, is in fact accelerating, over time, I do believe that it would behoove LACNIC and other RIRs to develop processes for reclaiming abandoned resources, in particular when and where it becomes evident that these resources have been hijacked. I would like to get in touch with the good authority you mention as he/she seems to be quite misinformed. LACNIC has, and has applied in the past, policies and procedures for resource recovery due to abandonment and other issues. The original resource recovery policy is LACNIC-2009-06 and the English text can be found here: http://www.lacnic.net/en/politicas/manual7-1.html You can also find the list of recovered prefixes and ASNs here http://www.lacnic.net/en/registro/revocacion.html I am not the expert on how the recovery process actually works but I can get you or the person who mentioned this alleged lack of process to you in touch with the staff who actually do work with resource recovery. regards Carlos -- -- = Carlos M. Martinez-Cagnazzo http://www.labs.lacnic.net =
Godwin was here ... was Re: Rogers Canada using 7.0.0.0/8
In reference to recent messages: I tend to doubt it. I'm pretty sure the DoD has the phone number to the FBI. Yes, but the FBI just shows up with several agents in dark sunglasses and suits and surgically removed senses of humor. Bad news, but it still doesn't ruin your day like a Predator drone suddenly appearing outside your window... http://en.wikipedia.org/wiki/Godwin%27s_Law -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis, NeuStar. You can leave a voice message at +1-571-434-5468. Now, don't say I'm always complaining. Wait, that's a complaint, isn't it?
Re: EAP-SIM authentication for WiFi networks
On 5/24/2011 1:48 PM, Rogelio wrote: Can anyone share a working model / solution for EAP-SIM authenticated smart phones on Wi-Fi networks? (Or even EAP-AKA?) i.e. instead of having to login a portal with a user / password or pre-authenticate MAC addresses, have it be seamless if they are already a subscriber. ATT does this with the WISPr client on the iPhones, but I was hoping for something that worked across the board with Android devices for a given carrier. Any suggestions here on who I might talk to? While this may not answer your question directly, I know that JANET eduroam just announced EAP-SIM service: http://billstarnaud.blogspot.com/2011/05/uk-r-network-janet-3g-service.html Maybe there is some useful information here.
Re: New vyatta-nsp list
I had a Juniper sales rep laugh at me when I asked for a comparison of their SRX series to Vyatta, as he had never heard of Vyatta. Anyone have an opinion on Vyatta's software/appliances? Specifically their 3520 ? On 05/24/2011 10:59 AM, Michael K. Smith - Adhost wrote: Hello All: There is a new Vyatta NSP list, sponsored by Jared on puck.nether.net. If you are running Vyatta hardware and/or software please join and share your questions, comments and experiences. http://puck.nether.net/mailman/listinfo/vyatta-nsp Regards, Mike
Re: New vyatta-nsp list
On Tue, 24 May 2011 14:42:02 CDT, Rhys Rhaven said: I had a Juniper sales rep laugh at me when I asked for a comparison of their SRX series to Vyatta, as he had never heard of Vyatta. Danger, Will Robinson! Danger! :)
Re: New vyatta-nsp list
On Tue, May 24, 2011 at 12:42 PM, Rhys Rhaven r...@rhavenindustrys.com wrote: I had a Juniper sales rep laugh at me when I asked for a comparison of their SRX series to Vyatta, as he had never heard of Vyatta. Anyone have an opinion on Vyatta's software/appliances? Specifically their 3520 ? On 05/24/2011 10:59 AM, Michael K. Smith - Adhost wrote: Hello All: There is a new Vyatta NSP list, sponsored by Jared on puck.nether.net. If you are running Vyatta hardware and/or software please join and share your questions, comments and experiences. http://puck.nether.net/mailman/listinfo/vyatta-nsp Regards, Mike Well, with the new Juniper entry level MX devices out now, the cost difference between Vyatta and Juniper is probably insignificant now, and with Juniper devices, you have much higher PPS rate. Granted, I have Vyatta devices now doing BGP, and they work fine, but you can't argue that ASICs can forward much faster than a general purpose CPU :) To each their own -- Brent Jones br...@servuhome.net
RE: Rogers Canada using 7.0.0.0/8 for internal address space
I think those within the organization that deploy those vehicles or are Navy SEALs might sit at different lunch tables than the guys worried about IP address collisions. ;-) -Vinny -Original Message- From: Rubens Kuhl [mailto:rube...@gmail.com] Sent: Tuesday, May 24, 2011 10:57 AM To: Nanog Subject: Re: Rogers Canada using 7.0.0.0/8 for internal address space On Mon, May 23, 2011 at 12:28 PM, Mark Farina markfarin...@gmail.com wrote: As of April 27th I have started to receive dhcp broadcast requests originating from the 7.0.0.0/8 network. Based on MAC addresses, it seems that this is communication between the Rogers border/node hardware (MAC assigned to Cisco) and my Motorola cable modem. Is the DoD releasing this range to Rogers? Or has Rogers squatted on this space due to exhaustion of their 10/8 use? We've seen other vendors and ISP squat on previously unused ranges (the 1/8 or 5/8s). Could they not wrap their internal cable modem to node chatter in IPv6, instead of using assigned address space? Squatting resources from an organization that can deploy F/A-18 Hornets, F/A-22 Raptors, Predator drones or Navy SEALs is probably bad to your health. Rubens
Re: New vyatta-nsp list
On May 24, 2011, at 2:26 PM, Brent Jones wrote: Well, with the new Juniper entry level MX devices out now, the cost difference between Vyatta and Juniper is probably insignificant now, and with Juniper devices, you have much higher PPS rate. Granted, I have Vyatta devices now doing BGP, and they work fine, but you can't argue that ASICs can forward much faster than a general purpose CPU :) To each their own So the applications where I've deployed vyatta have a lot to do with having a topological need for a router/firewall/ipsec tunnel termination point in a VM. In some cases I'm not particularly proud of the results. but it's not a use case that juniper presently addresses. devices down in srx210/240/ja2320 land are a rather different kettle of fish in comparison to an mx80/mx240. -- Brent Jones br...@servuhome.net
Re: New vyatta-nsp list
I won't argue that an ASIC isn't faster, but it is hard to argue that Vyatta isn't capable of high-end performance. http://download.intel.com/embedded/processor/solutionbrief/322973.pdf aeh - mpps - mega packets per second - is really low. and the gbps scale in figure 4 is wrong - factor 10 to high. 1gige linerate: 1,9mpps 10gige linerate:19mpps and intel is proud to achieve 1,6mpps at 2 10gige cards? I have seen higher values at pc hardware - but still not comparable to asics. Kind regards, Ingo Flaschberger
Re: Netflix Is Eating Up More Of North America's Bandwidth Than AnyOther Company
On May 18, 2011, at 3:06 AM, Leigh Porter wrote: -Original Message- From: Carl Rosevear [mailto:crosev...@skytap.com] Eating Up sounds so overweight and unhealthy. Since a good number of us get paid for delivering bits, isn't this a good thing? Always glad to see bits and dollars flowing into the Internet, personally. However must express severe dissatisfaction with the topic of the thread a while ago referencing Comcast trying to charge providers for delivery over their network. Maybe I'm wrong, but I'm pretty happy with the current model... even if it means a $5/month residential rate hike (or something). --C Well it depends if Netflix pay for the bandwidth they use or if they get it all for free with non settlement peering. If, suddenly, your business model breaks because of a huge demand for high bandwidth services by your customers then either you need to charge your customers more or Netflix (or whoever) need to share the pie. Netflix is hosted in ec2 and they use a lot of CDN. not sure that it's germane to the question of access to customers to measure which direction the money changes hands -- Leigh Porter
Re: New vyatta-nsp list
On Tue, May 24, 2011 at 2:54 PM, Jon Bane j...@nnbfn.net wrote: On Tue, May 24, 2011 at 5:26 PM, Brent Jones br...@servuhome.net wrote: Well, with the new Juniper entry level MX devices out now, the cost difference between Vyatta and Juniper is probably insignificant now, and with Juniper devices, you have much higher PPS rate. Granted, I have Vyatta devices now doing BGP, and they work fine, but you can't argue that ASICs can forward much faster than a general purpose CPU :) To each their own -- Brent Jones br...@servuhome.net I won't argue that an ASIC isn't faster, but it is hard to argue that Vyatta isn't capable of high-end performance. http://download.intel.com/embedded/processor/solutionbrief/322973.pdf The graphs show near 100% CPU usage at small packet sizes, and low PPS. That would lead to a pretty easy to launch DDoS against a software based router platform. Since there isn't a separation between control plane/forwarding plane, an attacker could trivially take you offline. I'd imagine due to the nature of x86 platform, being interrupt based and forwarding table residing in memory the CPU has to access, there's a finite amount you can scale this without risking big disruptions from a relatively small DDoS. Not saying software platforms can't achieve good throughput, there has to be a realization of the limits of the platform, and when it shouldn't be used. Again, I personally use the Vyatta commercial software, and it works great, so I'm not knocking it. But I wouldn't consider it high-end performance when a few million PPS can lead to service disruptions. -- Brent Jones br...@servuhome.net
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On Tue, May 24, 2011 at 4:34 PM, vinny_abe...@dell.com wrote: I think those within the organization that deploy those vehicles or are Navy SEALs might sit at different lunch tables than the guys worried about IP address collisions. ;-) The F/A-18 Hornets, F/A-22 Raptors are well, and good, but that's old technology. The folks in charge of the MQ-1 predator drones might sit closer to the guys worried about the IP addresses. And automated drone strikes can always be blamed on a malfunction caused by the hijacking I would speculate they are probably capable of targeting routers improperly using their subnet, if the right folks feel it's necessary, and the routers are located in the right country. I suspect they're more likely to attempt the more civilized professional things any other government org would though, such as calling the hijacker's NOC, calling upstreams to de-peer the hijacker, sending out field agents to have a little 'chat' -Vinny -- -JH
Re: Rogers Canada using 7.0.0.0/8 for internal address space
- Original Message - From: Jimmy Hess mysi...@gmail.com On Tue, May 24, 2011 at 4:34 PM, vinny_abe...@dell.com wrote: I think those within the organization that deploy those vehicles or are Navy SEALs might sit at different lunch tables than the guys worried about IP address collisions. ;-) The F/A-18 Hornets, F/A-22 Raptors are well, and good, but that's old technology The folks in charge of the MQ-1 predator drones might sit closer to the guys worried about the IP addresses. And automated drone strikes can always be blamed on a malfunction caused by the hijacking If packets that control armed drones cross any router that has access even to SIPRnet, much less the Internet, someone's getting relieved. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: Netflix Is Eating Up More Of North America's Bandwidth Than Any Other Company
On Tue, May 24, 2011 at 08:12:31PM -0400, Max wrote: Was PBS one of the companies you are referring to? A colleague of mine worked as a developer on a project at PBS in the 90s that used the blanking interval for Internet transmission - very cool stuff. snip The one that was _much_ more interesting was the one that Lauren Weinstein had a hand in. It piggy-backed a Usenet feed in the vertical blanking interval of several big independent TV stations -- ones that were carried by practically every cable company in the country. Distribution to the cable companies was via satellite, but the USENET feed, being _part_ of the video signal, consumed _zero_ additional bandwidth, and rode the satellite links for free. To get the feed, all you needed was a TV tuner with 'video out', and the purpose-built decoder box that extracted the vertical interval data. This service died as the independents moved to encrypted transmission, because the encryption did _not_ preserve anything in the 'blanking' timeslot. only the 'viewable' field-image was transmitted, _as_ a full-field image. Sync, blanking, etc. was _locally_ generated on the receiving end. An elegant idea, done in by changing technology. *sigh* As USENIX director I sponsored and shepherded this project, called Stargate. We at least got bits into the blanking interval at WTBS in Atlanta. -- -=[L]=- Hand typed on my Remington portable Real data are normal in the middle and Cauchy in the tails.
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On May 24, 2011, at 9:29:06 PM, Jay Ashworth wrote: - Original Message - From: Jimmy Hess mysi...@gmail.com On Tue, May 24, 2011 at 4:34 PM, vinny_abe...@dell.com wrote: I think those within the organization that deploy those vehicles or are Navy SEALs might sit at different lunch tables than the guys worried about IP address collisions. ;-) The F/A-18 Hornets, F/A-22 Raptors are well, and good, but that's old technology The folks in charge of the MQ-1 predator drones might sit closer to the guys worried about the IP addresses. And automated drone strikes can always be blamed on a malfunction caused by the hijacking If packets that control armed drones cross any router that has access even to SIPRnet, much less the Internet, someone's getting relieved. http://www.eweek.com/c/a/Security/Militants-Hack-Unencrypted-Drone-Feeds-477219/ --Steve Bellovin, https://www.cs.columbia.edu/~smb
RE: New vyatta-nsp list
The graphs show near 100% CPU usage at small packet sizes, and low PPS. That would lead to a pretty easy to launch DDoS against a software based router platform. Since there isn't a separation between control plane/forwarding plane, an attacker could trivially take you offline. I'd imagine due to the nature of x86 platform, being interrupt based and forwarding table residing in memory the CPU has to access, there's a finite amount you can scale this without risking big disruptions from a relatively small DDoS. Not saying software platforms can't achieve good throughput, there has to be a realization of the limits of the platform, and when it shouldn't be used. Again, I personally use the Vyatta commercial software, and it works great, so I'm not knocking it. But I wouldn't consider it high-end performance when a few million PPS can lead to service disruptions. -- Brent Jones br...@servuhome.net Every tool has its use. Also, they have several different sized appliances. How much CPU use you get depends on how many cores you throw at the problem. They can use multiple cores/processors. The result given in one test might not match someone else's test if they have higher end hardware, maybe better than the appliances Vyatta ships. But the primary point I am trying to make is if you have an office with sub-gigabit connectivity and you need NAT and firewalling and VPNs, it might be a very cost-effective solution. It might not be a good solution in a different environment. It is sort of like pointing out that your neighbor's Accord doesn't have the performance characteristics of a Ferrari but your neighbor only drives in rush hour on roads with a maximum speed of 65 MPH. The Ferrari would cost much more money, cost more to support over time, and not get him to work any faster. If one is never going to pass enough traffic to get anywhere near the maximum performance of the unit anyway, why spend so much more money?
Besides, on most integrated firewall/NAT/VPN units I have used in the past, I have run them out of CPU from VPN and NAT long before they ever reached their maximum traffic throughput.
Re: Netflix Is Eating Up More Of North America's Bandwidth Than Any Other Company
On Tue, May 24, 2011 at 10:48 PM, Lou Katz l...@metron.com wrote: An elegant idea, done in by changing technology. *sigh* As USENIX director I sponsored and shepherded this project, called Stargate. We at least got bits into the blanking interval at WTBS in Atlanta. So... would this have been feasible today? given the bandwidth required to send a full feed these days, i suspect likely not, eh? (even if you were able to do it on all 500+ channels in parallel)
Re: Netflix Is Eating Up More Of North America's Bandwidth Than Any Other Company
- Original Message - From: Christopher Morrow morrowc.li...@gmail.com On Tue, May 24, 2011 at 10:48 PM, Lou Katz l...@metron.com wrote: An elegant idea, done in by changing technology. *sigh* As USENIX director I sponsored and shepherded this project, called Stargate. We at least got bits into the blanking interval at WTBS in Atlanta. So... would this have been feasible today? given the bandwidth required to send a full feed these days, i suspect likely not, eh? (even if you were able to do it on all 500+ channels in parallel) I can't tell you whether it would be feasible from a *quantity* standpoint unless you specify what your group list is -- big 7 text? Probably. Problem is, it depended (as he noted) on a peculiarity of the network TV environment at the time: it wasn't part of the signal, but of the *transport* which -- at the time -- was carried around along with the signal, so you could piggyback stuff there, and get it right to people's TVs. MPEG2 and 4 don't carry the vertical interval, so any ride you can get isn't free -- rather similar to our Multicast discussion last week. Back in the really bad old days, I'm told that the most stable frequency source the average civilian could get was the 3.58MHz oscillator in a color TV set -- but *only* when you were watching *network* programs, at which time that oscillator was effectively phase-locked to a $50k+ black burst generator at network master control. Frame synchronizers shot that plan out of the water. Never been sure if that's apocryphal or not. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Re: Rogers Canada using 7.0.0.0/8 for internal address space
Please excuse my ignorance on this, and note that I am not condoning the hijacking of IP address space. As long as necessary precautions are taken (route filters, tunnels, VRFs), shouldn't this be technically feasible without any negative ramifications? These 7-NET addresses seem to be assigned to the modem itself, but surely they aren't what the customer sees as their WAN IP address, right? So as long as the modem is configured to send ALL traffic, regardless of destination address (could be a 7-NET dst), over a GRE tunnel to some aggregation point via its acquired 7-NET address, and all routers were to keep the 7-NET on a separate VRF, shouldn't they be able to avoid any IP collisions? Couldn't you theoretically use anyone's IP space, advertised or not, for this internal transit? I'm not saying it's a good idea; it's certainly more complex, which leads to its own issues, but shouldn't it be possible?

-Jeremy

On Tue, May 24, 2011 at 9:50 PM, Steven Bellovin s...@cs.columbia.edu wrote:
> On May 24, 2011, at 9:29:06 PM, Jay Ashworth wrote:
>> - Original Message -
>> From: Jimmy Hess mysi...@gmail.com
>>> On Tue, May 24, 2011 at 4:34 PM, vinny_abe...@dell.com wrote:
>>>> I think those within the organization that deploy those vehicles or are Navy SEALs might sit at different lunch tables than the guys worried about IP address collisions. ;-)
>>> The F/A-18 Hornets and F/A-22 Raptors are well and good, but that's old technology. The folks in charge of the MQ-1 Predator drones might sit closer to the guys worried about the IP addresses. And automated drone strikes can always be blamed on a malfunction caused by the hijacking.
>> If packets that control armed drones cross any router that has access even to SIPRnet, much less the Internet, someone's getting relieved.
>
> http://www.eweek.com/c/a/Security/Militants-Hack-Unencrypted-Drone-Feeds-477219/
>
> --Steve Bellovin, https://www.cs.columbia.edu/~smb
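The design asked about above (squatted 7/8 space kept in its own VRF behind a GRE aggregation point, with route filters) can be modelled in a few lines of longest-prefix-match logic. The following is an added example written for this page, not code from anyone in the thread or from Rogers; the table contents, next-hop names ("cmts-modem-mgmt", "gre-aggregation", "transit-upstream") and the /12 sub-blocks are constructed assumptions. It shows the collision that occurs when the squatted routes share a table with the legitimate 7.0.0.0/8 announcement, the isolation a separate VRF gives, the export filter that keeps squatted space from leaking into the global table, and the cost Jeremy's proposal does not mention: a host inside the squatted VRF has no path to the real holder's 7.x addresses at all.

```python
"""
Added example: why squatting on an announced /8 collides unless it is
confined to a VRF, modelled with a toy longest-prefix-match lookup.
All prefixes and next-hop names are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next hop). Next-hop names are hypothetical.
Route = Tuple[ipaddress.IPv4Network, str]

# The block under discussion, and the interfaces that carry it internally
# (assumed names for the example).
SQUATTED = ipaddress.ip_network("7.0.0.0/8")
INTERNAL_NEXT_HOPS = {"cmts-modem-mgmt", "gre-aggregation"}


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; returns the next hop, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, nh in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


# Constructed global table: a default plus the legitimate holder's 7/8.
GLOBAL_TABLE: List[Route] = [
    (net("0.0.0.0/0"), "transit-upstream"),
    (net("7.0.0.0/8"), "transit-upstream"),
]

# Constructed internal routes for modem management, carved out of 7/8.
SQUATTED_ROUTES: List[Route] = [
    (net("7.0.0.0/12"), "cmts-modem-mgmt"),
    (net("7.16.0.0/12"), "gre-aggregation"),
]


def single_table() -> List[Route]:
    """The naive deployment: squatted routes dumped into the global table."""
    return GLOBAL_TABLE + SQUATTED_ROUTES


# The VRF deployment: squatted routes live in their own table with no
# default route, so nothing in it can reach, or be reached from, the Internet.
VRFS: Dict[str, List[Route]] = {
    "global": GLOBAL_TABLE,
    "modem-mgmt": SQUATTED_ROUTES,
}


def leaks_squat(route: Route) -> bool:
    """True if this route would carry squatted space toward the global table."""
    prefix, nh = route
    return prefix.subnet_of(SQUATTED) and nh in INTERNAL_NEXT_HOPS


def export_to_global(vrf_routes: List[Route]) -> List[Route]:
    """Export filter applied between the management VRF and the global table."""
    return [r for r in vrf_routes if not leaks_squat(r)]


def audit_global(table: List[Route]) -> List[str]:
    """Flag any squatted prefix that made it into a global table."""
    return [str(p) for p, nh in table if leaks_squat((p, nh))]


if __name__ == "__main__":
    # Without a VRF the internal /12 shadows the real 7/8 for every customer.
    print("single table, 7.1.2.3 ->", lookup(single_table(), "7.1.2.3"))
    print("leaked prefixes:", audit_global(single_table()))
    # With a VRF the global table still reaches the legitimate holder...
    print("global VRF, 7.1.2.3 ->", lookup(VRFS["global"], "7.1.2.3"))
    # ...and the management VRF reaches only its own slice of 7/8.
    print("mgmt VRF, 7.1.2.3 ->", lookup(VRFS["modem-mgmt"], "7.1.2.3"))
    print("mgmt VRF, 7.200.0.1 ->", lookup(VRFS["modem-mgmt"], "7.200.0.1"))
    print("export filter lets through:", export_to_global(SQUATTED_ROUTES))
```

The audit function is the piece worth keeping: run it over a dump of the global RIB on every router that also carries the management VRF, because a single missing `ip vrf forwarding` on an interface, or a route-target misconfiguration, is enough to put the squatted /12 back into the global table and shadow the real holder for all customers.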
Re: Rogers Canada using 7.0.0.0/8 for internal address space
From: valdis.kletni...@vt.edu
Date: Tue, 24 May 2011 00:22:36 -0400
> On Mon, 23 May 2011 21:14:02 PDT, Cameron Byrne said:
>> Now, the onus is on the DoD to make its content available over unique IPv6 space so that the Rogers customers can get to it using the 6to4-PMT solution. There is always a solution.
> Which they should be ready to do already, since didn't the US Govt. mandate IPv6 support sometime last century? ;)

Not really. Backbone networks were required to be IPv6 capable back last decade, but there was no requirement for any end systems or services. (Nor was "backbone network" defined.)

By October 1, 2012 all public services (web, mail, and DNS) must be IPv6 capable and reachable using native IPv6 via all carriers being used for public access. By October 1, 2014 all U.S. government services and networks must support IPv6. No tunnels. No special names for IPv6 services. It also includes any government sponsored services that are contracted out, and government laboratories.

Both some DOD and civilian networks have been IPv6 capable for some years, but there was no requirement for it.

-- R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On Tue, 24 May 2011 22:22:20 CDT, Jeremy said:
> As long as necessary precautions are taken (route filters, tunnels, VRFs) shouldn't this be technically feasible without any negative ramifications?

The types of network designers who are able to cover *every single* little detail needed to make this sort of thing work are rarely the types of network designers that would snarf up somebody else's prefix to use for this sort of thing, and vice versa.
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On Tue, May 24, 2011 at 8:45 PM, valdis.kletni...@vt.edu wrote:
> On Tue, 24 May 2011 22:22:20 CDT, Jeremy said:
>> As long as necessary precautions are taken (route filters, tunnels, VRFs) shouldn't this be technically feasible without any negative ramifications?
> The types of network designers who are able to cover *every single* little detail needed to make this sort of thing work are rarely the types of network designers that would snarf up somebody else's prefix to use for this sort of thing, and vice versa.

I think you underestimate how truly common this practice is in private corners of large networks. I did not say good, but I did say common. And it will become increasingly common. Look down on it as much as you want, but it is the reality. Squatting on (currently) unrouted space is the new NAT.

CB
Re: Netflix Is Eating Up More Of North America's Bandwidth Than Any Other Company
On Tue, May 24, 2011 at 10:48 PM, Steven Bellovin s...@cs.columbia.edu wrote:
> It was TBS, in the 1980s: http://web.archive.org/web/19981203103811/www.stargate.com/history.html
> It used TBS because that was one of the first superstations, distributed to cable systems nationwide via satellite.

Oops - meant TBS :), that was it.

- Max
Re: Rogers Canada using 7.0.0.0/8 for internal address space
On 25 May 2011 04:22, Jeremy jba...@gmail.com wrote:
> Please excuse my ignorance on this and note that I am not condoning the hijacking of IP address space. As long as necessary precautions are taken (route filters, tunnels, VRFs) shouldn't this be technically feasible without any negative ramifications?

And that is why the US military is unlikely to contact anyone at Rogers. Lots of other companies have hijacked space like this. As I recall, Reuters global networks began using 7/8 (along with a whole bunch of other low-numbered /8s) back in the mid 90's, and nobody has complained about that.

This kind of thing is becoming more common as more companies exhaust the RFC 1918 space, and the DOD addresses are the prime target for this borrowing activity because most folks feel that the DOD isn't likely to run into any technical networking problems with this borrowing.

So we should CONDONE such borrowing and recommend a couple of /8s to use in North America. Perhaps one could be DOD, for those operators that do not carry any DOD traffic, and one could be that /8 from Softbank Japan, 126/8 if I recall it correctly. People who carry DOD traffic could borrow the APNIC block. This actually reduces the pressure on the IPv4 address supply without expensive carrier grade NAT services and makes the transition to IPv6 less turbulent.

--Michael Dillon